Far from being over, the ransomware attack that has affected organisations around the globe may be followed by another, some are warning. Europol chief Rob Wainwright has today warned that the ransomware was being combined with a worm application allowing the “infection of one computer to quickly spread across the networks”. Security experts respond:

Gavin Millard, EMEA Technical Director of Tenable Network Security:

“With the success of the initial infection of WannaCry, it wouldn’t be at all surprising to see the next iteration released soon. Although there has been a significant amount of interest in the media and inescapable coverage of the outbreak, many systems will still be lacking the MS17-010 patch required to mitigate the threat.

“For users that are rightfully concerned about another WannaCry wave, updating their system to remove the vulnerability that it targets and blocking SMB traffic (ports 139 and/or 445) to any system that can’t be updated is critically important.

“A quick check on Shodan, the search engine for devices connected to the internet, yielded 229,000 Windows systems with SMB exposed and remotely accessible. Not all of these will be vulnerable, but many could well be leveraged to spread this aggressive ransomware further or be a point of entry into organisations.”
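The two actions Millard recommends (confirm the MS17-010 update is present, and block inbound SMB on hosts that cannot take it) can be checked and applied from an elevated PowerShell session. The script below is an added example, not Tenable’s code. The KB identifiers listed in it are an assumption for illustration and must be matched against the MS17-010 bulletin for the OS build being audited; later cumulative updates supersede them, so a missing KB on its own does not prove a host is unpatched.

```powershell
# Added example, not Tenable's code: audit a Windows host for the MS17-010
# update and apply the SMB-blocking compensating control where it is missing.
# Run in an elevated PowerShell on Windows 8 / Server 2012 or later.

# ASSUMPTION: KB list for illustration only; verify against the MS17-010
# bulletin for your OS build. Later cumulative updates supersede these.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                'KB4012214', 'KB4012217', 'KB4012598', 'KB4012606',
                'KB4013198', 'KB4013429')

# 1. Is one of the MS17-010 updates installed?
$found = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($found) {
    Write-Output "MS17-010 update present: $($found.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS17-010 KB found; treat this host as exposed until verified'
}

# 2. Is the SMBv1 server (the protocol the exploit targets) still enabled?
$smb = Get-SmbServerConfiguration
Write-Output "SMB1 server enabled: $($smb.EnableSMB1Protocol)"

# 3. Are the SMB ports actually listening on this host?
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 139, 445 } |
    Select-Object LocalAddress, LocalPort

# 4. Compensating control for hosts that cannot take the patch: block inbound
#    TCP 139/445 on every firewall profile and turn SMBv1 off. This also stops
#    file sharing and some domain traffic to the host, so scope it to the
#    systems that genuinely cannot be updated.
if (-not $found) {
    New-NetFirewallRule -DisplayName 'Block inbound SMB (MS17-010 unpatched)' `
        -Direction Inbound -Protocol TCP -LocalPort 139, 445 `
        -Action Block -Profile Any
    # Disabling SMBv1 removes the vulnerable protocol itself (reboot required).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
```

Steps 1 to 3 are read-only and safe to run fleet-wide; step 4 changes the host’s network behaviour and should be tested on one representative unpatchable system before being rolled out.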

Chris Doman, security researcher at AlienVault:

“New variants today are now spreading with a modified kill-switch domain. Someone, likely different to the original attackers, made a very small change to the malware so it connects to a slightly different domain. That allowed it to continue propagating again.

“Thankfully some researchers are already registering the new domains as they identify them. The cat-and-mouse will likely continue until someone makes a larger change to the malware, removing the kill-switch functionality completely. At that point, it will be harder to stop new variants.

“The internet scanning service Shodan shows approximately half a million networks with the vulnerable service exposed to the internet in the US, and almost 20,000 in the UK. Most of those systems will have been patched by now, but a significant proportion won’t have been.

“We all had a heads-up on the WannaCry attacks. Over 100,000 machines were found to be vulnerable to related attacks back in April. And 1 out of every 3 NHS trusts was hit with ransomware last year. The NHS is particularly vulnerable to ransomware as they have critical systems with patchwork security.

“The UK government has some of the best cyber-security experts in the world. But it’s simply not possible to deploy them to every local NHS trust to enforce high security.

“But more could be done. Australia is notable for their success in enforcing higher than average security across government. Departments are mandated to enforce 4 technical controls. The first attacks would have been limited by the first two controls – application whitelisting and regular patching. Enforcing these controls on legacy systems requires a significant investment in personnel.”
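Doman’s remarks describe two observable behaviours of the worm: infected hosts look up a kill-switch domain before running, and they then fan out SMB connections to many peers. Both can be surfaced from ordinary DNS and connection logs. The script below is an added example, not AlienVault’s code; the log format and the kill-switch domain list are constructed for illustration (the real kill-switch domains are not given on this page, so placeholders stand in for them).

```python
"""Added example (not AlienVault's): two simple detections for WannaCry-style
activity over constructed log data.

  1. smb_fanout_alerts  - a source host contacting many distinct peers on
                          TCP/445 within a short window (worm-like spread)
  2. kill_switch_lookups - DNS queries for domains on a kill-switch watchlist
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder watchlist: the real kill-switch domains are not on
# this page. Replace with the domains published by researchers.
KILL_SWITCH_DOMAINS = {
    "killswitch-placeholder-1.example",
    "killswitch-placeholder-2.example",
}

# Constructed connection log, one flow per line: "<timestamp> <src> <dst> <dport>".
# 10.0.1.20 behaves like an infected host; 10.0.1.30 is a normal file-server
# client hitting one peer repeatedly; 10.0.1.40 touches two peers.
SAMPLE_FLOWS = """\
2017-05-15T09:00:01 10.0.1.20 10.0.1.21 445
2017-05-15T09:00:02 10.0.1.20 10.0.1.22 445
2017-05-15T09:00:03 10.0.1.20 10.0.1.23 445
2017-05-15T09:00:04 10.0.1.20 10.0.1.24 445
2017-05-15T09:00:05 10.0.1.20 10.0.1.25 445
2017-05-15T09:00:06 10.0.1.20 10.0.1.26 445
2017-05-15T09:00:07 10.0.1.20 10.0.1.27 80
2017-05-15T09:01:00 10.0.1.30 10.0.1.5 445
2017-05-15T09:01:10 10.0.1.30 10.0.1.5 445
2017-05-15T09:01:20 10.0.1.30 10.0.1.5 445
2017-05-15T09:02:00 10.0.1.40 10.0.1.6 445
2017-05-15T09:02:30 10.0.1.40 10.0.1.7 445
"""

# Constructed DNS query log: "<timestamp> <src> <qname>".
SAMPLE_DNS = """\
2017-05-15T08:59:59 10.0.1.20 killswitch-placeholder-1.example.
2017-05-15T09:05:00 10.0.1.50 intranet.example
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples from the constructed format."""
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def smb_fanout_alerts(text, threshold=5, window=timedelta(minutes=1)):
    """Return {src: peer_count} for hosts that reach >= threshold distinct
    peers on TCP/445 within any sliding window of the given length."""
    by_src = defaultdict(list)
    for ts, src, dst, port in parse_flows(text):
        if port == 445:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        max_peers = 0
        for i, (start, _) in enumerate(events):
            # Distinct peers contacted within `window` of this event.
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            max_peers = max(max_peers, len(peers))
        if max_peers >= threshold:
            alerts[src] = max_peers
    return alerts


def kill_switch_lookups(text, watchlist=KILL_SWITCH_DOMAINS):
    """Return [(src, qname)] for DNS queries whose name is on the watchlist.
    Trailing dots and case are normalised so 'Foo.example.' matches."""
    hits = []
    for line in text.splitlines():
        _, src, qname = line.split()
        if qname.lower().rstrip(".") in watchlist:
            hits.append((src, qname.rstrip(".")))
    return hits


if __name__ == "__main__":
    print("SMB fan-out alerts:", smb_fanout_alerts(SAMPLE_FLOWS))
    print("Kill-switch lookups:", kill_switch_lookups(SAMPLE_DNS))
```

A kill-switch lookup is an early signal (the host is already infected and is deciding whether to run), so it is worth alerting on even when the domain resolves. The fan-out check catches the spread itself; the threshold and window should be tuned against a baseline, since vulnerability scanners and backup agents also open many SMB sessions in a short time.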

Javvad Malik, security advocate at AlienVault, has the following insights around the cyber resilience of the NHS:

“Regarding blame, it’s not a simple or straightforward case of placing the blame on any one aspect.

“On one hand, there’s a debate ongoing about responsible disclosure practices. Should the NSA have sat on vulnerabilities for so long that when Shadowbrokers released the details it left a small window for enterprises to upgrade their systems?

“On the other hand, there are several so-called “simple” steps the NHS or other similar organisations could take to protect themselves, these would include:

  1. Upgrading systems
  2. Patching systems
  3. Maintaining support contracts for out of date operating systems
  4. Architecting infrastructure to be more secure
  5. Acquiring and implementing additional security tools.

“The reality is that while any of these defensive measures could have prevented or minimised the attack, none of these are easy for many enterprises to implement.

“Sometimes the infrastructure or endpoint devices aren’t all controlled by IT. Also, patching or updating a system can sometimes lead to other dependent applications breaking or having other issues. For example, the operating system can’t be updated until another vendor updates their software, which in turn can’t be updated until an in-house custom application is updated.

“There are many other technical nuances, but it boils down to risk management. And oftentimes if systems are working as desired with no issues, then they will continue to run as such, especially where the cost of upgrading is a taxpayer expense.

“That’s not to say any of the security measures shouldn’t be implemented. In an ideal world it would be good to see no legacy systems, regular patching, and securely architected infrastructure. Unfortunately, that is the exception for most companies, not the rule. So while it’s easy to simply say that the government should have put more money into systems, it’s more a case of the senior decision-makers and purse-string holders needing to understand the exposure they run, the pros and cons, and the potential impact. Only then can decisions be made that can result in meaningful change.”
